[TriLUG] Suspicious behavior: have I been hacked?
Joey O'Doherty
joey at odoherty.net
Sun Feb 23 22:41:22 EST 2003
In that case,
# sudo apt-get install chkrootkit
Andrew Perrin wrote:
> I use debian, not redhat, so I can't use the .rpm advice. I checked most
> of the important binaries (top, ps, ls, bash) with an off-net debian
> machine of the same generation and found no differences in date or
> size. netstat shows nothing very interesting either.
>
> ap
>
>
> On Sun, 23 Feb 2003, Chris Hedemark wrote:
>
>
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>Also a lot of rootkits are not smart enough to cover their tracks in
>>the rpm database, so you can use rpm to compare what it thinks should
>>be there with what is really there.
>>
>>On Sunday, February 23, 2003, at 10:08 PM, Jon Carnes wrote:
>>
>>
>>>boot with a rescue disk and check out your system. In particular look
>>>at the dates on your library files and on key binaries like top, ls,
>>>ps, netstat, etc... If you have another system running the same distro
>>>you can check your binaries against those.
>>>
>>>Using an unhacked netstat is a good way to find out if you've started
>>>to send/receive on ports that you shouldn't.
>>>
>>>This job is much easier if you have a back-up to compare with.
>>>Personally I use an unmounted partition with a copy of my etc and my
>>>/bin, /sbin, /usr/bin, /usr/sbin, and /lib directories. I can mount
>>>the partition read-only and run an automated checkup on my system
>>>using scripts and binaries located on the partition.
>>>
>>>Good Luck - Jon Carnes
>>>
>>>On Sun, 2003-02-23 at 21:48, Andrew Perrin wrote:
>>>
>>>>I came upstairs after a weekend mostly away from my computer to find
>>>>it in a nearly-hung state. Load (by top) was >10, and there were
>>>>numerous /USR/SBIN/CRON entries which, from the logs, look like they
>>>>were trying to run exim sessions:
>>>>
>>>>Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD ( if [ -x
>>>>/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ;
>>>>fi)
>>>>Feb 23 07:53:01 joehill /USR/SBIN/CRON[13829]: (mail) CMD ( if [ -x
>>>>/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ;
>>>>fi)
>>>>
>>>>
>>>>(etc., etc.)
>>>>
>>>>The other thing in the ps listing were several (three I think)
>>>>instances of:
>>>>
>>>>modprobe -s -k -- net-pf-10
>>>>
>>>>I do not have such a module, either loaded or available on the disk.
>>>>
>>>>What's particularly worrisome is that this machine is behind another
>>>>machine running NAT, so it has only a private (192.168.0.x) address.
>>>>The NAT machine has nothing particularly suspicious about it. last
>>>>commands on both machines show only me logging in.
>>>>
>>>>I would be a happier person if someone could provide a non-suspicious
>>>>explanation for this.
>>>>
--
pub 1024D/B663781B 2001-11-13 Joey O'Doherty <joey(at)odoherty(dot)net>
Key fingerprint = F76B 9ACA 4197 C707 6E4D 2B78 E430 101A B663 781B
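As an added example (not part of the thread, not Jon Carnes's own scripts), here is a POSIX shell script that does the check Jon describes: walk a trusted read-only copy of /bin etc. and compare it against the live tree. It compares SHA-256 digests rather than dates and sizes, because a replaced binary can be padded to the original length and given the original timestamp with touch; the demo at the bottom constructs exactly such a file, plus one missing and one added file, so the date-and-size check Andrew ran would pass while the digest check flags it. The reference location (/mnt/ref) and all file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example: integrity check of a live tree against a trusted reference
# copy by SHA-256 digest. Assumed layout: reference mounted read-only at
# /mnt/ref with the same subtree names (bin, sbin, ...) as the live root.

# digest FILE -> hex SHA-256 (sha256sum on Linux, shasum elsewhere)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_tree REF LIVE
# Prints one line per finding: MISSING (in ref, not live), MODIFIED (digest
# differs), ADDED (in live, not ref). Always returns 0; the report is the result.
compare_tree() {
    ref=$1
    live=$2
    list=$(mktemp)
    # every file in the reference must exist in the live tree with the same digest
    (cd "$ref" && find . -type f | sort) > "$list"
    while IFS= read -r f; do
        rel=${f#./}
        if [ ! -f "$live/$rel" ]; then
            echo "MISSING  $rel"
        elif [ "$(digest "$ref/$rel")" != "$(digest "$live/$rel")" ]; then
            echo "MODIFIED $rel"
        fi
    done < "$list"
    # anything in the live tree with no reference counterpart is worth a look
    (cd "$live" && find . -type f | sort) > "$list"
    while IFS= read -r f; do
        rel=${f#./}
        [ -f "$ref/$rel" ] || echo "ADDED    $rel"
    done < "$list"
    rm -f "$list"
    return 0
}

# demo: builds two constructed trees under a temp dir, prints the report to
# stderr and the number of findings to stdout.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/ref/bin" "$work/live/bin"
    printf 'good ls\n' > "$work/ref/bin/ls"
    printf 'good ps\n' > "$work/ref/bin/ps"
    printf 'good netstat\n' > "$work/ref/bin/netstat"
    cp "$work/ref/bin/ls" "$work/live/bin/ls"          # untouched
    printf 'evil ps\n' > "$work/live/bin/ps"            # same 8-byte length...
    touch -r "$work/ref/bin/ps" "$work/live/bin/ps"     # ...and same mtime
    printf 'dropper\n' > "$work/live/bin/.x"            # extra hidden file
    # (no live netstat: simulates a removed binary)
    report=$(compare_tree "$work/ref" "$work/live")
    rm -rf "$work"
    if [ -n "$report" ]; then
        printf '%s\n' "$report" >&2
        n=$(( $(printf '%s\n' "$report" | wc -l) ))
    else
        n=0
    fi
    echo "$n"
}

demo
```

Run it as `compare_tree /mnt/ref/bin /bin` (and likewise for sbin, usr/bin, lib) from a rescue boot, or with PATH pointing at the copies of find, sha256sum and sh on the reference partition, since on a compromised host the live tools doing the comparison are themselves suspects.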